Banner grabbing – it ain’t exactly rocket science. It ain’t something the government is too much concerned about, either. In all its essence, it’s all about getting to know what lives on remote target. Be it discovered from open ports or a webpage – it’s always nice to know what we’re communicate with. Much is written about discovering CMS’s and web servers. Today I’ll give you quick intro to banner grabbing SSH. And no, the government doesn’t give a rats ass about it (clickbait o’hoy).
In all its glory you only need Telnet, but I’ll show you some different techniques.
$ telnet xxx.xxx.xxx.xxx 22 Trying xxx.xxx.xxx.xxx ... Connected to xxx.xxx.xxx.xxx. Escape character is '^]'. SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
$ nc -v xxx.xxx.xxx.xxx 22 xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] 22 (ssh) open SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
nmap -sV -p 22 xxx.xxx.xxx.xxx Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-25 16:06 CET Nmap scan report for xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) Host is up (0.021s latency). rDNS record for 126.96.36.199: shell.openshells.net PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 4.15 seconds
Using any of these three techniques should yield success. However, there are plenty of tools out there that will do the same job. I’ve tried some of them and found it easier to go along with what’s present on most Linux systems (or Macs).